Hi there,
I would like to know if anyone already managed to use the conjur-variable lookup plugin from the cyberark.conjur collection to fetch SSH Keys.
Use case: I’d like Ansible AWX to fetch SSH Keys (Managed inside CyberArk Vault) from CyberArk DAP/Conjur to connect to an Ansible dynamic inventory.
Option 1: using CyberArk Conjur Secret Lookup Credential Type and Machine Credential Type
It works fine but does not allow parameterizing the secret id given the hostname of the inventory host being configured.
Option 2: using Job Template extra vars, Custom credential type and conjur-variable Lookup Plugin
It works fine with SSH
Custom credential type definition:
Input Configuration:
fields:
  - id: conjur_account
    type: string
    label: Organization Name in Conjur
  - id: conjur_version
    type: string
    label: Conjur Version
  - id: conjur_url
    type: string
    label: URL to Conjur Service
  - id: conjur_cert
    type: string
    label: PUBLIC KEY CERTIFICATE
    multiline: true
  - id: conjur_authn_login
    type: string
    label: Host Login
  - id: conjur_authn_api_key
    type: string
    label: Host API Key
    secret: true
required:
  - conjur_account
  - conjur_url
  - conjur_authn_login
  - conjur_authn_api_key
Injector Configuration:
env:
  CONJUR_CONFIG_FILE: '{{ tower.filename.conf }}'
  CONJUR_IDENTITY_FILE: '{{ tower.filename.identity }}'
  CONJUR_CERT_FILE: '{{ tower.filename.cert }}'
file:
  template.conf: |-
    {
      "appliance_url": "{{ conjur_url }}",
      "account": "{{ conjur_account }}"
    }
  template.identity: "machine {{ conjur_url }}/authn\n\tlogin {{ conjur_authn_login }}\n\tpassword {{ conjur_authn_api_key }}"
  template.cert: "{{ conjur_cert }}"
Extra vars:
---
ansible_user: 'cloud-user'
ansible_password: "{{ lookup('conjur_variable', 'Vault/Cloud_Automation/CYBR_Unix_Cloud_Users/CYBR_UnixSSH-' + inventory_hostname + '-' + ansible_user + '/password') }}"
While it works like a charm with ansible_password (using SSH passwords), it does not work with SSH Keys.
ansible_ssh_pass and ansible_ssh_private_key_file don't work.
Any ideas/comments?
Any help will be appreciated,
Many Thanks,
JFC
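
The following playbook is an added example, not part of the original post and not code from the cyberark.conjur project. It relies on the fact that `ansible_ssh_private_key_file` expects a path to a key file while the lookup returns the secret's content, so it writes the fetched key to a 0600 temp file on the controller before the first remote task. The `conjur_key_*` variable names and the secret ID are assumptions (the ID is a placeholder), and `ansible_user` is assumed to come from extra vars as in the post.

```yaml
---
# Added example. conjur_key_secret_id is a PLACEHOLDER: replace it with the
# Conjur variable ID that actually holds the private key for each host.
- name: Connect with an SSH private key fetched from Conjur
  hosts: all
  gather_facts: false   # nothing may touch the remote host before the key file exists
  vars:
    conjur_key_secret_id: "REPLACE_ME/{{ inventory_hostname }}/private-key"
  tasks:
    - name: Create a private temp file on the controller
      ansible.builtin.tempfile:
        state: file
        suffix: .key
      delegate_to: localhost
      register: conjur_key_tmp

    - name: Run remote tasks with the key, then always clean up
      block:
        - name: Write the key material (never logged)
          ansible.builtin.copy:
            # Lookups may strip the trailing newline; OpenSSH needs one.
            content: "{{ lookup('conjur_variable', conjur_key_secret_id) }}\n"
            dest: "{{ conjur_key_tmp.path }}"
            mode: "0600"
          delegate_to: localhost
          no_log: true

        - name: Point the SSH connection at the key file
          ansible.builtin.set_fact:
            ansible_ssh_private_key_file: "{{ conjur_key_tmp.path }}"

        - name: First task that opens the SSH connection
          ansible.builtin.ping:

      always:
        - name: Remove the key file from the controller
          ansible.builtin.file:
            path: "{{ conjur_key_tmp.path }}"
            state: absent
          delegate_to: localhost
```

Each inventory host gets its own temp file, and the `always` section removes it even when a remote task fails.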